General

  • Target: 4243b819a4cacf20d035b5ea54043c3ca3e74f1ad4c5b00a36e7ff2972ffcacb
  • Size: 1.3MB
  • Sample: 231012-r7fa8sgg43
  • MD5: 38c0044f99107f194b63f9fe29f45f58
  • SHA1: 252b6a6edfc1b97ceb999d563201ece039a11164
  • SHA256: 4243b819a4cacf20d035b5ea54043c3ca3e74f1ad4c5b00a36e7ff2972ffcacb
  • SHA512: e0724ee785f86706e6c041d8709d9de34a4536844942f558973cb24f231be2f0118b6ad3a67381b5545a266aabc0d8236237846295609406194f5924b4e32974
  • SSDEEP: 24576:px6d5CI3xqGvBSVbGM76eTSAdKIvY8Ss5VtX6rjs:G5CIBqkkN6eTSAQIQJKV4js

Malware Config

Extracted
  • Family: redline
  • Botnet: nash
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: 35b6b5194b4fd1ef78124b2387f0c668

Extracted
  • Family: redline
  • Botnet: monik
  • C2: 77.91.124.82:19071
  • Attributes
    • auth_value: da7d9ea0878f5901f1f8319d34bdccea
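The two extracted configurations share a single C2 endpoint and differ only in botnet name and auth_value, so an exact host:port hit on 77.91.124.82:19071 is the strongest network indicator from this report, and the auth_value is what tells the nash and monik botnets apart. The following Python hunting script is an added example, not part of the report and not vendor tooling: it matches file digests against the sample's hashes, scans a connection log for the C2, and looks for the two auth_value strings in a byte blob such as a memory dump or decoded config. The connection-log lines and their format are constructed for the example, and the function names are the example's own.

```python
"""Hunt for the IOCs in the sandbox report above (added example, not part of
the report): the sample's file hashes, the RedLine C2 endpoint, and the two
auth_value strings that identify the nash and monik botnets."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "38c0044f99107f194b63f9fe29f45f58",
    "sha1": "252b6a6edfc1b97ceb999d563201ece039a11164",
    "sha256": "4243b819a4cacf20d035b5ea54043c3ca3e74f1ad4c5b00a36e7ff2972ffcacb",
}
REDLINE_C2 = {("77.91.124.82", 19071)}
REDLINE_AUTH_VALUES = {
    "35b6b5194b4fd1ef78124b2387f0c668": "nash",
    "da7d9ea0878f5901f1f8319d34bdccea": "monik",
}


def digest_file(path):
    """Return md5/sha1/sha256 hex digests of a file, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests, indicators=SAMPLE_HASHES):
    """Names of the algorithms whose digest equals the report's sample hash."""
    return {name for name, value in digests.items()
            if indicators.get(name, "").lower() == value.lower()}


# Constructed connection-log lines (not from the report): "<ts> <src> -> <dst> <proto>".
SAMPLE_CONNLOG = """\
2023-10-12T13:02:11Z 10.0.0.15:51322 -> 77.91.124.82:19071 TCP
2023-10-12T13:02:12Z 10.0.0.15:51323 -> 142.250.74.46:443 TCP
2023-10-12T13:02:14Z 10.0.0.22:49911 -> 77.91.124.82:80 TCP
"""
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def find_c2_connections(log_text, c2=REDLINE_C2):
    """Flag connections to the extracted C2. An exact host:port hit is strong
    evidence; the same host on another port is reported with lower confidence
    because the operator may move ports between builds."""
    hosts = {host for host, _ in c2}
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        if (dst, int(dport)) in c2:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "confidence": "exact"})
        elif dst in hosts:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "confidence": "host-only"})
    return hits


def find_auth_values(data, auth_values=REDLINE_AUTH_VALUES):
    """Search a byte blob for the report's auth_value strings (ASCII or
    UTF-16LE, as .NET strings may appear either way) and name the botnet."""
    found = {}
    for value, botnet in auth_values.items():
        if value.encode() in data or value.encode("utf-16-le") in data:
            found[value] = botnet
    return found


def scan_directory(root):
    """Walk a directory tree and return paths whose hash matches the sample."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and match_hashes(digest_file(p))]


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_CONNLOG):
        print(hit)
```

Run it as-is to see the two connection-log hits; point scan_directory at a download or temp folder to look for the dropped binary, and feed find_auth_values a process memory dump to tell which botnet a running infection belongs to.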

Targets

    • Target: 4243b819a4cacf20d035b5ea54043c3ca3e74f1ad4c5b00a36e7ff2972ffcacb
    • Size: 1.3MB
    • MD5: 38c0044f99107f194b63f9fe29f45f58
    • SHA1: 252b6a6edfc1b97ceb999d563201ece039a11164
    • SHA256: 4243b819a4cacf20d035b5ea54043c3ca3e74f1ad4c5b00a36e7ff2972ffcacb
    • SHA512: e0724ee785f86706e6c041d8709d9de34a4536844942f558973cb24f231be2f0118b6ad3a67381b5545a266aabc0d8236237846295609406194f5924b4e32974
    • SSDEEP: 24576:px6d5CI3xqGvBSVbGM76eTSAdKIvY8Ss5VtX6rjs:G5CIBqkkN6eTSAQIQJKV4js

    • Detects Healer, an antivirus disabler dropper
    • Healer
      Healer is an antivirus disabler dropper.
    • Modifies Windows Defender Real-time Protection settings
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
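Two of the behaviours above leave registry evidence that a SIEM can match: Windows Defender real-time protection settings being modified (Impair Defenses, T1562.001, counted under Modify Registry, T1112, in the matrix below) and a Run key being added (T1547.001). The following Python detection logic is an added example, not part of the report: it classifies Sysmon Event ID 13 (RegistryEvent, value set) records into those techniques. The event records, image paths and SID are constructed for the example; the report does not say which Defender values the sample writes, so the list of disable values is the well-known Defender policy value names, not data from this analysis.

```python
"""Detection logic for the registry behaviours reported above (added example,
not from the report): Defender real-time protection switched off through the
registry (T1562.001 / T1112) and a Run-key autostart entry (T1547.001).
Runs over constructed Sysmon Event ID 13 records."""
import re

# Sysmon writes registry paths as HKLM\... or HKU\<SID>\... in TargetObject.
DEFENDER_RTP_RE = re.compile(
    r"\\(?:Policies\\)?Microsoft\\Windows Defender\\Real-Time Protection\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.IGNORECASE)

# Defender policy values that disable a protection component when set to 1.
# Assumption: well-known value names, not values taken from this report.
DEFENDER_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return findings for one Sysmon event dict (EventID, Image, TargetObject, Details)."""
    findings = []
    if event.get("EventID") != 13:
        return findings
    target = event.get("TargetObject", "")
    image = event.get("Image", "")

    m = DEFENDER_RTP_RE.search(target)
    if m:
        value = m.group("value")
        if value in DEFENDER_DISABLE_VALUES:
            # Only a value of 1 disables the component; 0 restores it and is not an alert.
            if parse_dword(event.get("Details")) == 1:
                findings.append({"technique": "T1562.001", "severity": "high",
                                 "reason": f"{image} set {value}=1 under Defender Real-Time Protection"})
        else:
            findings.append({"technique": "T1112", "severity": "low",
                             "reason": f"{image} wrote {value} under Defender Real-Time Protection"})

    m = RUN_KEY_RE.search(target)
    if m:
        findings.append({"technique": "T1547.001", "severity": "medium",
                         "reason": f"{image} added {m.group('key')} entry '{m.group('value')}' -> {event.get('Details')}"})
    return findings


def scan(events):
    """Classify a batch of events and flatten the findings."""
    return [f for e in events for f in classify(e)]


# Constructed events, not from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it reports exactly two findings, the Defender disable and the Run entry; the value-0 write and the unrelated Explorer setting produce nothing. In production, feed it the Sysmon channel and add an allowlist for the images that legitimately write these keys (Group Policy processing, endpoint-management agents), since that is where the false positives come from.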

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2
  • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1

Tasks